(54) Operation of trusted state in computing platform



(57) A computing entity comprises a trusted monitoring component having a first processing means and a first memory means, the trusted monitoring component being a self-contained autonomous data processing unit, and a computer platform having a main processing means and a main memory area, along with a plurality of associated physical and logical resources such as peripheral devices including printers, modems, application programs, operating systems and the like. The computer platform is capable of entering a plurality of different states of operation, each state of operation having a different level of security and trustworthiness. Selected ones of the states comprise trusted states in which a user can enter sensitive confidential information with a high degree of certainty that the computer platform has not been compromised by external influences such as viruses, hackers or hostile attacks. To enter a trusted state, reference is made automatically to the trusted component, and to exit a trusted state reference must be made to the trusted component. On exiting the trusted state, all references to the trusted state are deleted from the computer platform. On entering the trusted state, the state is entered in a reproducible and known manner, having a reproducible and known configuration which is confirmed by the trusted component.




Fig. 7 






EP 1 085 396 A1 



Description 

Field of the Invention



[0001] The present invention relates to computers, and particularly, although not exclusively, to a computing entity which can be placed into a trusted state, and a method of operating the computing entity to achieve the trusted state, and operation of the computing entity when in the trusted state.

Background to the Invention 

[0002] Conventional prior art mass market computing platforms include the well-known personal computer (PC) and competing products such as the Apple Macintosh™, and a proliferation of known palm-top and laptop personal computers. Generally, markets for such machines fall into two categories, these being domestic or consumer, and corporate. A general requirement for a computing platform for domestic or consumer use is a relatively high processing power, Internet access features, and multi-media features for handling computer games. For this type of computing platform, the Microsoft Windows™ '95 and '98 operating system products and Intel processors dominate the market.
[0003] On the other hand, for business use, there is a plethora of available proprietary computer platform solutions aimed at organizations ranging from small businesses to multi-national organizations. In many of these applications, a server platform provides centralized data storage and application functionality for a plurality of client stations. For business use, other key criteria are reliability, networking features, and security features. For such platforms, the Microsoft Windows NT™ 4.0 operating system is common, as well as the Unix™ operating system.

[0004] With the increase in commercial activity transacted over the Internet, known as "e-commerce", there has been much interest in the prior art in enabling data transactions between computing platforms over the Internet. However, because of the potential for fraud and manipulation of electronic data in such proposals, fully automated transactions with distant unknown parties on the wide-spread scale required for a fully transparent and efficient market place have so far been held back. The fundamental issue is one of trust between interacting computer platforms for the making of such transactions.

[0005] There have been several prior art schemes which are aimed at increasing the security and trustworthiness of computer platforms. Predominantly, these rely upon adding in security features at the application level, that is to say the security features are not inherently embedded in the kernel of operating systems, and are not built in to the fundamental hardware components of the computing platform. Portable computer devices have already appeared on the market which include a smart card, which contains data specific to a user, which is input into a smart card reader on the computer. Presently, such smart cards are at the level of being add-on extras to conventional personal computers, and in some

Although these prior art schemes go some way to improving the security of computer platforms, the levels of security and trustworthiness gained by prior art schemes may be considered insufficient to enable wide-spread application of automated transactions between computer platforms. For businesses to expose significant value transactions to electronic commerce on a widespread scale, they require confidence in the trustworthiness of the underlying technology.

[0006] Prior art computing platforms have several problems which stand in the way of increasing their inherent security:

• The operating status of a computer system or platform and the status of the data within the platform or system is dynamic and difficult to predict. It is difficult to determine whether a computer platform is operating correctly because the state of the computer platform and data on the platform is constantly changing and the computer platform itself may be dynamically changing.



• From a security point of view, commercial computer platforms, in particular client platforms, are often deployed in environments which are vulnerable to unauthorized modification. The main areas of vulnerability include modification by software loaded by a user, or via a network connection. Particularly, but not exclusively, conventional computer platforms may be vulnerable to attack by virus programs, with varying degrees of hostility.

• Computer platforms may be upgraded or their capabilities may be extended or restricted by physical modification, i.e. addition or deletion of components such as hard disk drives, peripheral drivers and the like.

[0007] It is known to provide security features for computer systems, which are embedded in operating software. These security features are primarily aimed at providing division of information within a community of users of the system. In the known Microsoft Windows NT™ 4.0 operating system, there exists a monitoring facility called a "system log event viewer" in which a log of events occurring within the platform is recorded into an event log data file which can be inspected by a system administrator using the Windows NT operating system software. This facility goes some way to enabling a system administrator to monitor pre-selected events for security purposes. The event logging function in the Windows NT™ 4.0 operating system provides system monitoring.
[0008] In terms of overall security of a computer platform, a purely software based system is vulnerable to attack, for example by viruses, of which there are thousands of different varieties. Several proprietary virus finding and correcting applications are known, for example the Dr Solomon's™ virus toolkit program. The Microsoft Windows NT™ 4.0 software includes a virus guard software, which is preset to look for known viruses. However, virus strains are developing continuously, and the virus guard software will not give reliable protection against newer unknown viruses. New strains of virus are being developed and released into the computing and internet environment on an ongoing basis.
[0009] Further, prior art monitoring systems for computer entities focus on network monitoring functions, where an administrator uses network management software to monitor performance of a plurality of network computers. In these known systems, trust in the system does not reside at the level of individual trust of each hardware unit of each computer platform in a system.

Summary of the Invention 

[0010] One object of the present invention is to provide a computing entity in which a third party user can have a high degree of confidence that the computing entity has not been corrupted by an external influence, and is operating in a predictable and known manner.
[0011] Another object of the present invention is to simplify the task of judging whether the trustworthiness of a computing entity is sufficient to perform a particular task or set of tasks or type of task.

[0012] In specific implementations of the present invention, a computing entity is capable of residing in a plurality of distinct operating states. Each operating state can be distinguished from other operating states using a set of integrity metrics designed to distinguish between those operating states.
[0013] According to a first aspect of the present invention there is provided a computing entity comprising:

a computer platform comprising a plurality of phys- 
ical and logical resources including a first data proc- 
essor and a first memory means; 

a monitoring component comprising a second data 
processor and a second memory means; 

wherein, said computer platform is capable of op- 
erating in a plurality of different states, each said state 
utilising a corresponding respective set of individual 
ones of said physical and logical resources; 

wherein said monitoring component operates to 
determine which of said plurality of states said computer 
platform operates in. 

[0014] Preferably a said memory means contains a set of instructions for configuration of said plurality of physical and logical resources of said computer platform into said pre-determined state.

[0015] Preferably exit of said computer platform from said pre-determined state is monitored by said monitoring component.

[0016] A BIOS file may be provided within the monitoring component itself. By providing the BIOS file within the monitoring component, the BIOS file may be inherently trusted.

[0017] In an alternative embodiment, said computer platform may comprise an internal firmware component configured to compute a digest data of a BIOS file data stored in a predetermined memory space occupied by a BIOS file of said computer platform.
[0018] According to a second aspect of the present invention there is provided a method of activating a computing entity comprising a computer platform having a first data processing means and a first memory means and a monitoring component having a second data processing means and a second memory means, into an operational state of a plurality of pre-configured operational states into which said computer platform can be activated, said method comprising the steps of:

selecting a state of said plurality of pre-configured 
operational states into which to activate said com- 
puter platform; 

activating said computer platform into said selected 
state according to a set of stored instructions; and 

wherein said monitoring component monitors ac- 
tivation into said selected state by recording data de- 
scribing which of said plurality of pre-configured states 
said computer platform is activated into. 
[0019] Said monitoring component may continue to 
monitor said selected state after said computer platform 
has been activated to said selected state. 
[0020] Said monitoring component may generate a 
state signal in response to a signal input directly to said 
monitoring component by a user of said computing en- 
tity, said state signal containing data describing which 
said state said computer platform has entered. 
[0021] In one embodiment, said set of stored instruc- 
tions which allow selection of said state may be stored 
in a BIOS file resident within said monitoring compo- 
nent. Once selection of a said state has been made, ac- 
tivation of the state may be carried out by a set of master 
boot Instructions which are themselves activated by the 
BIOS. 

[0022] Preferably the method comprises the step of generating a menu for selection of a said pre-configured state from said plurality of pre-configured states.
[0023] The method may comprise the step of generating a user menu displayed on a user interface for selection of a said pre-configured state from said plurality of pre-configured states, and said step of generating a state signal comprises generating a state signal in response to a user input accepted through said user interface.
[0024] Alternatively, the predetermined state may be automatically selected by a set of instructions stored on a smartcard, which selects a state option generated by said BIOS. The selection of states may be made automatically via a set of selection instructions to instruct said BIOS to select a state from said set of state options generated by said BIOS.

[0025] Said step of monitoring a said state may comprise:

immediately before activating said computer platform, creating by means of a firmware component a digest data of a first pre-allocated memory space occupied by a BIOS file of said computer platform;

writing said digest data to a second pre-allocated 
memory space to which only said firmware compo- 
nent has write access; and 

said monitoring component reading said digest data 
from said second pre-allocated memory space. 

[0026] Said step of monitoring a said state into which 
said computer platform is activated may comprise: 

executing a firmware component to compute a di- 
gest data of a BIOS file of said computer platform; 

writing said digest data to a predetermined location 
in said second memory means of said monitoring 
component. 

[0027] Said step of activating said computer platform into said selected state may comprise:

at a memory location of said first memory means, said location occupied by a BIOS file of said computer platform, storing an address of said monitoring component which transfers control of said first processor to said monitoring component;

storing in said monitoring component a set of native instructions which are accessible immediately after reset of said first processor, wherein said native instructions instruct said first processor to calculate a digest of said BIOS file and store said digest data in said second memory means of said monitoring component; and

said monitoring component passing control of said activation process to said BIOS file, once said digest data is stored in said second memory means.

[0028] Said step of monitoring said state into which said computer platform is activated may comprise:

after said step of activating said computer platform into said selected state, monitoring a plurality of logical and physical components to obtain a first set of metric data signals from those components, said metric data signals describing a status and condition of said components;

comparing said first set of metric data signals determined from said plurality of physical and logical components of said computer platform, with a set of pre-recorded metric data stored in a memory area reserved for access only by said monitoring component; and

comparing said first set of metric data signals obtained directly from said plurality of physical and logical components with said set of pre-stored metric data signals stored in said reserved memory area.
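The measurement and comparison steps of [0025] to [0028], as an added example in Python (this code is not from the patent; the patent describes these steps as firmware and hardware behaviour, which are simulated here): the firmware component digests the BIOS memory space before the BIOS runs and writes the digest to a register that only it may write and that is cleared only by reset; the monitoring component reads that digest, compares it with the value pre-recorded for the selected state, and then compares metrics read from the platform's components with the pre-recorded set held in its reserved memory. The class and function names, the state profile, the resource metric strings and the BIOS image are assumptions made for the example.

```python
"""Simulation of the measured-boot and state-verification flow of [0025]-[0028].
Added example: the classes, names, state profile and BIOS image below are
constructed for illustration and are not from the patent."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the pre-allocated memory space occupied by the BIOS file.
GOOD_BIOS = b"\x55\xaa" + b"EXAMPLE BIOS 1.0 " * 8 + b"\x00" * 32
# The same image with a single patched byte, as a tampered BIOS would appear.
TAMPERED_BIOS = GOOD_BIOS[:40] + b"\xff" + GOOD_BIOS[41:]


def bios_digest(image: bytes) -> bytes:
    """Digest the firmware component computes over the BIOS memory space."""
    return hashlib.sha256(image).digest()


class DigestRegister:
    """Second pre-allocated memory space ([0025]): only the firmware component may
    write it, it is write-once until the next reset, and the monitor reads it."""

    def __init__(self) -> None:
        self._digest: Optional[bytes] = None

    def write(self, writer: str, digest: bytes) -> None:
        if writer != "firmware":
            raise PermissionError(f"{writer!r} may not write the digest register")
        if self._digest is not None:
            raise PermissionError("digest register is write-once until reset")
        self._digest = digest

    def read(self) -> Optional[bytes]:
        return self._digest

    def reset(self) -> None:
        """Cleared only as part of a processor reset."""
        self._digest = None


@dataclass(frozen=True)
class StateProfile:
    """Pre-recorded metrics for one pre-configured state, kept in memory reserved
    for the monitoring component ([0028]). The resource metrics are constructed."""
    name: str
    bios_digest: bytes
    resources: Dict[str, str]


@dataclass
class MonitoringComponent:
    profiles: Dict[str, StateProfile]
    log: List[tuple] = field(default_factory=list)

    def record_activation(self, state: str) -> None:
        """Record which pre-configured state the platform is activated into ([0018])."""
        if state not in self.profiles:
            raise ValueError(f"unknown state {state!r}")
        self.log.append(("activate", state))

    def verify_bios(self, state: str, register: DigestRegister) -> bool:
        """Read the digest the firmware stored and compare it with the profile's value."""
        measured = register.read()
        ok = measured is not None and measured == self.profiles[state].bios_digest
        self.log.append(("bios", state, ok))
        return ok

    def verify_resources(self, state: str, observed: Dict[str, str]) -> List[str]:
        """Compare metrics read from the platform's components with the pre-recorded
        set; a component that is missing, added or changed is reported by name."""
        expected = self.profiles[state].resources
        bad = sorted(k for k in set(expected) | set(observed)
                     if expected.get(k) != observed.get(k))
        self.log.append(("resources", state, tuple(bad)))
        return bad


def activate(state: str, bios_image: bytes, observed: Dict[str, str],
             register: DigestRegister, monitor: MonitoringComponent) -> bool:
    """Boot into `state`: reset, firmware measures the BIOS before it runs, the
    monitor checks the digest and then the per-state metrics. Control would pass
    to the BIOS only when this returns True."""
    register.reset()
    monitor.record_activation(state)
    register.write("firmware", bios_digest(bios_image))  # before the BIOS executes
    if not monitor.verify_bios(state, register):
        return False
    return not monitor.verify_resources(state, observed)


# Constructed profile for a trusted state with a fixed, known resource set.
TRUSTED = StateProfile(
    name="trusted",
    bios_digest=bios_digest(GOOD_BIOS),
    resources={"disk0": "sha256:aa11", "modem": "absent", "lan0": "present"},
)
PROFILES = {TRUSTED.name: TRUSTED}

if __name__ == "__main__":
    monitor, register = MonitoringComponent(PROFILES), DigestRegister()
    print(activate("trusted", GOOD_BIOS, TRUSTED.resources, register, monitor))      # True
    print(activate("trusted", TAMPERED_BIOS, TRUSTED.resources, register, monitor))  # False
```

The write-once register that only reset clears is what makes the measurement tamper evident: software that runs after the BIOS cannot replace the stored digest with the value it would like the monitor to see, so a patched BIOS image is caught before the monitor hands control to it, and a changed or missing resource is caught before the platform is treated as being in the selected state.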

[0029] According to a third aspect of the present invention there is provided a method of operating a computing entity comprising a computer platform having a first data processing means and a first memory means, and a monitoring component having a second data processing means and a second memory means, such that said computer platform enters one of a plurality of possible pre-determined operating states, said method comprising the steps of:

in response to an input from a user interface, generating a state signal, said state signal describing a selected state into which said computer platform is to be activated;

activating said computer platform into a pre-determined state, in which a known set of physical and logical resources are available for use in said state and known processes can operate in said state;

from said pre-determined state, entering a configuration menu for reconfiguration of said monitoring component; and

modifying a configuration of said monitoring component by entering data via a user interface in accordance with an instruction set comprising said configuration menu.

[0030] Said step of entering said monitoring component configuration menu may comprise:

entering a confirmation key signal directly into said monitoring component, said confirmation key signal generated in response to a physical activation of a confirmation key.

[0031] Said step of entering said monitoring component configuration menu may comprise entering a password to said trusted component via a user interface.
[0032] According to a fourth aspect of the present invention there is provided a method of operation of a computing entity comprising a monitoring component having a first data processing means and a first memory means, and a computer platform having a second data processing means and a second memory means, said method comprising the steps of:

entering a first state of said computer entity, wherein in said first state are available a plurality of pre-selected physical and logical resources;

commencing a user session in said first state, in which user session a plurality of data inputs are received by said computer platform, said second data processing means performing data processing on said received data;

reconfiguring said plurality of physical and logical resources according to instructions received in said session;

generating a session data describing a configuration of said physical and logical resources;

generating a plurality of user data resulting from 
processes operating within said session; 

storing said user data; 

storing session data; 

exiting said session; and 

exiting said computer platform from said state. 

[0033] Said method may further comprise the step of 
reconfiguring said monitoring component during said 
user session in said first state. Thus, the monitoring 
component may be reconfigured from a trusted state of 
the computer platform. 

Brief Description of the Drawings 

[0034] For a better understanding of the invention and to show how the same may be carried into effect, there will now be described by way of example only, specific embodiments, methods and processes according to the present invention with reference to the accompanying drawings in which:

Fig. 1 illustrates schematically a computer entity according to a first specific embodiment of the present invention;

Fig. 2 illustrates schematically connectivity of selected components of the computer entity of Fig. 1;

Fig. 3 illustrates schematically a hardware architecture of components of the computer entity of Fig. 1;

Fig. 4 illustrates schematically an architecture of a trusted component comprising the computer entity of Fig. 1;

Fig. 5 illustrates schematically a logical architecture of the computer entity, divided into a monitored user space resident on a computer platform and a trusted space resident on the trusted component;

Fig. 6 illustrates schematically a set of physical and logical resources comprising the computer entity, wherein different combinations of usage and accessibility to the individual physical and logical resources corresponds with operation in different states of the computing entity;

Fig. 7 illustrates schematically an example of a state diagram illustrating a set of states into which the computing entity can be placed, and processes for entry and exit from those states;

Fig. 8 illustrates schematically a use model followed by a user of the computing entity for entry and exit from individual states of the computing entity;

Fig. 9 illustrates schematically steps of a process for entry into a trusted state;

Fig. 10 illustrates schematically a first mode of operation of the computing entity in a trusted state, in which a first session is carried out by a user;

Fig. 11 illustrates schematically a second session carried out in a trusted state, wherein the second session is carried out after closure of the first session; and

Fig. 12 illustrates schematically a second mode of operation of the computer entity in which reconfiguration of a trusted component may be made by a user.

Detailed Description of the Best Mode for Carrying Out the Invention

[0035] There will now be described by way of example the best mode contemplated by the inventors for carrying out the invention. In the following description numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent however, to one skilled in the art, that the present invention may be practiced without limitation to these specific details. In other instances, well known methods and structures have not been described in detail so as not to unnecessarily obscure the present invention.

[0036] Specific embodiments of the present invention comprise a computer platform having a processing means and a memory means, and which is physically associated with a component, known hereinafter as a "trusted component", which monitors operation of the computer platform by collecting metrics data from the computer platform, and which is capable of verifying to third party computer entities interacting with the computer platform the correct functioning of the computer platform.
[0037] Two computing entities, each provisioned with such a trusted component, may interact with each other with a high degree of 'trust'. That is to say, where the first and second computing entities interact with each other the security of the interaction is enhanced compared to the case where no trusted component is present, because:

• A user of a computing entity has higher confidence in the integrity and security of his/her own computer entity and in the integrity and security of the computer entity belonging to the other computing entity.

• Each entity is confident that the other entity is in fact the entity which it purports to be.

• Where one or both of the entities represent a party to a transaction, e.g. a data transfer transaction, because of the in-built trusted component, third party entities interacting with the entity have a high degree of confidence that the entity does in fact represent such a party.

• The trusted component increases the inherent security of the entity itself, through verification and monitoring processes implemented by the trusted component.

• The computer entity is more likely to behave in the way it is expected to behave.

[0038] In this specification, the term "trusted" when used in relation to a physical or logical component, is used to mean a physical or logical component which always behaves in an expected manner. The behavior of that component is predictable and known. Trusted components have a high degree of resistance to unauthorized modification.
[0039] In this specification, the term "computer platform" is used to refer to at least one data processor and at least one data storage means, usually but not essentially with associated communications facilities e.g. a plurality of drivers, associated applications and data files, and which may be capable of interacting with external entities e.g. a user or another computer entity, for example by means of connection to the internet, connection to an external network, or by having an input port capable of receiving data stored on a data storage medium e.g. a CD ROM, floppy disk, ribbon tape or the like. The term "computer platform" encompasses the main data processing and storage facility of a computer.

[0040] Referring to Fig. 1 herein, there is illustrated schematically one example of a computer entity according to a first specific embodiment of the present invention. Referring to Fig. 2 of the accompanying drawings, there is illustrated schematically physical connectivity of some of the components of the trusted computer entity of Fig. 1. Referring to Fig. 3 herein, there is illustrated schematically an architecture of the trusted computer entity of Figs. 1 and 2, showing physical connectivity of components of the entity.
[0041] In general, in the best mode described herein, a trusted computer entity comprises a computer platform consisting of a first data processor, and a first memory means, together with a trusted component which verifies the integrity and correct functioning of the computing platform. The trusted component comprises a second data processor and a second memory means, which are physically and logically distinct from the first data processor and first memory means.
[0042] In the example shown in Figs. 1 to 3 herein, the trusted computer entity is shown in the form of a personal computer suitable for domestic use or business use. However, it will be understood by those skilled in the art that this is just one specific embodiment of the invention, and other embodiments of the invention may take the form of a palmtop computer, a laptop computer, a server-type computer, a mobile phone-type computer, or the like, and the invention is limited only by the scope of the claims herein. In the best mode example described herein, the computer entity comprises a display monitor 100; a keyboard data entry means 101; a casing 102 comprising a motherboard on which is mounted a data processor; one or more data storage means e.g. hard disk drives; a dynamic random access memory; various input and output ports (not illustrated in Fig. 1); a smart card reader 103 for accepting a user's smart card; a confirmation key 104, which a user can activate when confirming a transaction via the trusted computer entity; a pointing device, e.g. a mouse or trackball device 105; and a trusted component.
[0043] Referring to Fig. 2 herein, there are illustrated some of the components comprising the trusted computer entity, including keyboard 101, which incorporates confirmation key 104 and smart card reader 103; a main motherboard 200 on which is mounted first data processor 201 and trusted component 202; an example of a hard disc drive 203; and monitor 100. Additional components of the trusted computer entity include an internal frame to the casing 102, housing one or more local area network (LAN) ports, one or more modem ports, one or more power supplies, cooling fans and the like (not shown in Fig. 2).

[0044] In the best mode herein, as illustrated in Fig. 3 herein, main motherboard 200 is manufactured comprising a first data processor 201; preferably a permanently fixed trusted component 202; a local memory device 300 local to the first data processor, the local memory device being a fast access memory area, e.g. a random access memory; a BIOS memory area 301; smart card interface 305; a plurality of control lines 302; a plurality of address lines 303; a confirmation key interface 306; and a data bus 304 connecting the processor 201, trusted component 202, memory area 300, BIOS memory component 301 and smart card interface 305. A hardware random number generator RNG 309 is also able to communicate with the processor 201 using the bus 304.

[0045] External to the motherboard and connected thereto by data bus 304 are provided the one or more hard disk drive memory devices 203; keyboard data entry device 101; pointing device 105, e.g. a mouse, trackball device or the like; monitor device 100; smart card reader device 103 for accepting a smart card device as described previously; the disk drive(s), keyboard, monitor, and pointing device being able to communicate with processor 201 via said data bus 304; and one or more peripheral devices 307, 308, for example a modem, printer, scanner or other known peripheral device.
[0046] To provide enhanced security, confirmation key switch 104 is hard wired directly to confirmation key interface 306 on motherboard 200, which provides a direct signal input to trusted component 202 when confirmation key 104 is activated by a user, such that a user activating the confirmation key sends a signal directly to the trusted component, by-passing the first data processor and first memory means of the computer platform.
[0047] In one embodiment the confirmation key may comprise a simple switch. Confirmation key 104 and confirmation key interface 306 provide a protected communication path (PCP) between a user and the trusted component, which cannot be interfered with by processor 201, which by-passes data bus 304 and which is physically and logically unconnected to memory area 300 or hard disk drive memory device(s) 203.
[0048] Trusted component 202 is positioned logically 
and physically between monitor 100 and processor 201 
of the computing platform, so that the trusted compo- 
nent 202 has direct control over the views displayed on 
monitor 100 which cannot be interfered with by proces- 
sor 201. 

[0049] The trusted component lends its identity and 
trusted processes to the computer platform and the 
trusted component has those properties by virtue of its 
tamper-resistance, resistance to forgery, and resistance 
to counterfeiting. Only selected entities with appropriate 
authentication mechanisms are able to influence the 
processes running inside the trusted component. Nei- 
ther a user of the trusted computer entity, nor anyone or 
any entity connected via a network to the computer en- 
tity may access or interfere with the processes running 
inside the trusted component. The trusted component 
has the property of being "inviolate". 
[0050] Smart card reader 103 is wired directly to smart card interface 305 on the motherboard and does not connect directly to data bus 304. Alternatively, smart card reader 103 may be connected directly to data bus 304. On each individual smart card may be stored a corresponding respective image data which is different for each smart card. For user interactions with the trusted component, e.g. for a dialogue box monitor display generated by the trusted component, the trusted component takes the image data from the user's smart card, and uses this as a background to the dialogue box displayed on the monitor 100. Thus, the user has confidence that the dialogue box displayed on the monitor 100 is generated by the trusted component. The image data is preferably easily recognizable by a human being in a manner such that any forgeries would be immediately apparent visually to a user. For example, the image data may comprise a photograph of a user. The image data on the smart card may be unique to a person using the smart card.

[0051] Referring to Fig. 4 herein, there is illustrated schematically an internal architecture of trusted component 202. The trusted component comprises a processor 400; a volatile memory area 401; a non-volatile memory area 402; a memory area storing native code 403; and a memory area storing one or a plurality of cryptographic functions 404, the non-volatile memory 402, native code memory 403 and cryptographic memory 404 collectively comprising the second memory means hereinbefore referred to.
[0052] Trusted component 202 comprises a physically and logically independent computing entity from the computer platform. In the best mode herein, the trusted component shares a motherboard with the computer platform so that the trusted component is physically linked to the computer platform. In the best mode, the trusted component is physically distinct from the computer platform, that is to say it does not exist solely as a sub-functionality of the data processor and memory means comprising the computer platform, but exists separately as a separate physical data processor 400 and separate physical memory areas 401, 402, 403, 404. By providing a physically present trusted component separate from a main processor of the computer entity, the trusted component becomes harder to mimic or forge through software introduced onto the computer platform. Another benefit which arises from the trusted component being physical, separate from the main processor of the platform, and tamper resistant is that the trusted component cannot be physically subverted by a local user, and cannot be logically subverted by either a local user or a remote entity. Programs within the trusted component are pre-loaded at manufacture of the trusted component in a secure environment. The programs cannot be changed by users, but may be configured by users, if the programs are written to permit such configuration. The physicality of the trusted component, and the fact that the trusted component is not configurable by the user, enables the user to have confidence in the inherent integrity of the trusted component, and therefore a high degree of trust in the [...] presence of the trusted component on the computer platform.

[0053] Referring to Fig. 5 herein, there is illustrated schematically a logical architecture of the computer entity 500. The logical architecture has a same basic division between the computer platform and the trusted component as is present with the physical architecture described in Figs. 1 to 3 herein. That is to say, the trusted component is logically distinct from the computer platform to which it is physically related. The computer entity comprises a user space 501 being a logical space which is physically resident on the computer platform (the first processor and first data storage means) and a trusted component space 502 being a logical space which is physically resident on the trusted component 202. In the user space 501 are one or a plurality of drivers 503, one or a plurality of applications programs 504, a file storage area, smart card reader 103, smart card interface 305 and a software agent 506 which operates to perform operations in the user space and report back to trusted component 202. The trusted component space 502 is a logical area based upon and physically resident in the trusted component, supported by the second data processor and second memory area of the trusted component. Confirmation key device 104 inputs directly to the trusted component space 502, and monitor 100 receives images directly from the trusted component space 502. External to the computer entity are external communications networks, e.g. the Internet, various local area networks and wide area networks 508, which are connected to the user space via the drivers 503, which may include one or more modem ports. An external user smart card 509 inputs into smart card reader 103 [...]. Within the trusted component space are the trusted component itself, displays generated by the trusted component on monitor 100, and input of a confirmation signal via confirmation key 104.

[0054] In the best mode for carrying out the invention, the computing entity has a plurality of modes of operation referred to herein as operating states. Different ones of the plurality of operating states allow the computing entity to perform different sets of tasks and functionality. In some of the individual states, complex operations can be carried out with a large number of degrees of freedom, and complexity. In other operating states there are more restrictions on the behavior of the computing entity.

[0055] The level of trust which can be placed on the computing entity when operating in each of the plurality of different states is related to:

• The number of different operations which can be carried out in a particular state.
• The complexity of operations which can be carried out in a particular state.
• A number of other states into which the computing entity can move from the particular state, without re-booting the computing entity.
• A number of different states from which the particular state can be arrived at, without re-booting the computing entity.
• A connectivity of the computing entity when in the particular state, that is to say, how many other computing entities or devices the entity is connectable to, e.g. over the internet, a wide area network, or a local area network.
• Restrictions on input of data from an external source, e.g. another computing entity, a floppy disk, a CD ROM, a modem, a LAN port, or the like.
• Restrictions on output of data from the particular state to other computing entities, e.g. whether data can be saved to a CD writer, floppy disc drive or exported through an interface to a further computer entity over the internet, a local area network, or a wide area network.
• An amount of, and a reliability of, internal monitoring processes within the computer entity which occur in the particular state; that is to say, the amount and reliability of a set of metrics applied by the trusted component when in that state.
• A number of checks which need to be made before a user can enter the particular state.
• A difficulty of bypassing one or a plurality of checks which need to be made before a user can enter the particular state.
• A difficulty of overcoming, without bypassing, one or a plurality of checks which are made before a user of the computer entity can enter the computing entity into the particular state.

[0057] The trust placed in the computer entity is composed of two separate parts:

• The trust placed in the trusted component itself.
• The certainty with which the trusted component can verify operation of the computer entity.

[0058] As described herein, levels or degrees of trust placed in the computer entity are [...] relative to a level of trust which is placed in the trusted component. Although the amount of trust in a computer entity is related to many factors, a key factor determining that trust are the types, extent and [...] of integrity metric checks which the trusted component itself carries out on the computer entity.

[0059] The trusted component is implicitly trusted. The trusted component is embedded as the root of any trust which is placed in the computing platform, and the computing platform as a whole cannot be any more trusted than the amount of trust placed in the trusted component.

[0060] By virtue of the trusted component monitoring operation of the computer platform, the trust placed in the trusted component can be extended to various parts of the computer platform, with the level and extent of trust placed in individual areas of the computer platform being dependent upon the level and reliability with which the trusted component can monitor that particular area of the computing platform.

[0061] Since the trusted areas of the computing platform are dependent upon the frequency, extent, and thoroughness with which the trusted component applies a set of integrity metric measurements to the computer platform, if the trusted component does not comprehensively measure all measurable aspects of the operation of the computing platform at all times, then the level of trust placed in individual parts of the computer platform will form a subset of the overall trust placed in the trusted component itself. If the computing entity supports only a limited number of integrity metrics, a user of the equipment, including a third party computing entity, is restricted in its ability to reason about the level of trust which can be placed in the computing entity.
[0062] Although various islands of the computer platform are trusted at various levels, depending upon the integrity metrics which are applied by the trusted component for measuring those areas of the computer platform, the level of trust placed in the computer platform as a whole is not as high as that which is inherent in the trusted component. That is to say, whilst the trusted component space 502 is trusted at a highest level, the user space 501 may comprise several regions of various levels of trust. For example, applications programs 504 may be relatively untrusted. Where a user wishes to use the computer entity for an operation which involves a particularly high degree of confidentiality or secrecy, for example working on a new business proposal, setting pay scales for employees or equally sensitive operations, then the human user may become worried about entering such details onto the computer platform because of the risk that the confidentiality or secrecy of the information will become compromised. The confidential information must be stored in the computing entity, and islands of high trust may not extend over the whole computing platform uniformly and with the same degree of trust. For example, it may be easier for an intruder to access particular areas or files on the computing platform compared with other areas or files.

[0063] Additionally, a user may wish to instruct the trusted component to perform certain functions; this poses the problem that all the commands to instruct the trusted component must pass through the computer platform, which is at a lower level of trust than the trusted component itself. Therefore, there is a risk of the commands to the trusted component becoming compromised during their passage and processing through the computer platform.

[0064] According to specific implementations of the present invention, the computer entity may enter a plurality of different states, each state having a corresponding respective level of trust, wherein the individual levels of trust corresponding to different states may be different from each other.

[0065] Referring to Fig. 6, there is illustrated schematically a set of physical and logical resources available to the computing entity. In the general case, the computing entity comprises a plurality of input/output devices 600 for communicating with other computing entities, examples of such devices including a modem, a local area network port, an Ethernet card, a hard disk drive 203, a floppy disk drive, and a smart card reader device 103; a plurality of memory areas 601-603, resident on the hard disk 203, or RAM 300; one or a plurality of operating systems 604-606; and one or a plurality of application programs 607-609.

[0066] In this specification, by the term "state" when used in relation to a computing entity, it is meant a mode of operation of the computing entity in which a plurality of functions provided by the computing platform may be carried out. For example in a first state, the computing entity may operate under control of a first operating system, and have access to a first set of application programs, a first set of files, and a first set of communications capabilities, for example modems, disk drives, local area network cards, e.g. Ethernet cards. In a second state, the computing platform may have access to a second operating system, a second set of applications, a second set of data files and a second set of input/output resources. Similarly, for successive third, fourth states up to a total number of states into which the computing entity can be set. There can be overlap between the facilities available between two different states. For example, a first and second state may use a same operating system, whereas a third state may use a different operating system.

[0067] Referring to Fig. 7 herein, there is illustrated schematically a state diagram representing a plurality of states into which the computing entity may be placed. In principle, there is no limit to the number of different states into which the computing entity may be placed, but in the example shown in Fig. 7 three such states are shown. In the example of Fig. 7, the computing entity may be placed into a first, trusted state 700, a second state 701 being a general purpose untrusted state and a third state 702 being a general purpose untrusted state. In the general case, the computing entity can reside in a plurality of different states, each having a corresponding respective level of trust.
[0068] Trusted state 700 is distinguished from the second and third states 701, 702 by virtue of the way in which the trusted state can be accessed. In one option, trusted state 700 can only be accessed by reference to the trusted component 202. However, in the preferred best mode implementation entry into the trusted state need not be controlled by the trusted component. To access the trusted state, a user may turn on the computing entity, that is to say turn on the power supply to the computing entity in a turn on process 703. Upon turning on the power supply, the computing entity boots up via the BIOS file 301 in process 704, from a routine contained in the computer BIOS. The computing entity may boot into either the trusted state 700, the second state 701 or the third state 702, depending upon how the BIOS file is configured. In the best mode herein, a user of the computing entity has the option, provided as a menu display option on monitor 100 during boot up of the computing entity or as a selectable option presented as a screen icon in any state, to enter either the trusted state 700 or one of the other states 701, 702 by selection. For example on turn on, the BIOS may be configured to default boot up into the second state 701. From the second state, entry into a different state 700 may require a key input from a user, which may involve entry of a password or confirmation of the user's identity by the user entering their smart card into smart card reader 103.

[0069] Once the computing entity has entered a state other than the trusted state, e.g. the second state 701 or the third state 702, then from those states the user may be able to navigate to a different state. For example, the user may be able to navigate from the second state 701 to the third state 702 by normal key stroke entry operations or a pointing device signal input, usually with reference back to the BIOS. This is shown schematically as select [...].

[0070] [...] to enter the trusted state 700, the [...] BIOS re-boot process 705 involves automatic monitoring by the trusted component in a monitoring process [...].

[0071] To leave the trusted state 700, the trusted state can only be left either by turning the power off in power down process 707, or by re-booting the computing entity via re-boot process 705, both of which involve [...].

[0072] [...] The user selects a state in which to boot by using a pointing device on the graphical user interface, for example by clicking a pointer icon over a [...]. The trusted component supplies integrity metrics [...] the loaded program [...] selected [...] disks or CD readers/writers, and may have full access [...] processor, accounts package or [...] printer device, but in that state use of a hard disk drive, a floppy disk drive, or the internet may be restricted. Each selection of a separate state into which the computer may be booted may be pre-configured by configuration of the BIOS component 301. A [...] to an operating system loading program to load [...]. The states themselves are pre-configured [...] and the relevant operating [...] state (701), or the third state (702), the user may navigate from that state to another state in step 805, which, in the best mode, involves re-booting of the computing entity via the BIOS.
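The state model of Figs. 7 and 8, as an added example that is not part of the patent: a small Python model of the three states 700, 701 and 702, the boot and re-boot transitions, and the predetermined resource set of each state. Everything concrete here is assumed for the example: the resource names, the rule that the trusted component approves entry into state 700 only when the boot-time integrity check passed and confirmation key 104 was physically pressed, and the choice to allow keystroke navigation only between the two untrusted states (the [0069] option) while anything involving state 700 goes through a re-boot or power-down as in [0068] and [0071].

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    OFF = "off"
    TRUSTED = "700"     # trusted state 700 (Fig. 7)
    GENERAL_A = "701"   # general purpose untrusted state 701
    GENERAL_B = "702"   # general purpose untrusted state 702


# Constructed resource sets: which operating system, applications and
# input/output devices each state may use. The trusted state has no modem
# or network port and only a CD writer for output.
RESOURCES = {
    State.TRUSTED:   frozenset({"os:unix", "app:wordprocessor", "io:cd_writer"}),
    State.GENERAL_A: frozenset({"os:unix", "app:wordprocessor", "app:browser",
                                "io:cd_writer", "io:floppy", "io:modem", "io:lan"}),
    State.GENERAL_B: frozenset({"os:other", "app:accounts", "io:printer", "io:lan"}),
}
UNTRUSTED = {State.GENERAL_A, State.GENERAL_B}


class TrustedComponent:
    """Stand-in for component 202 (assumed behaviour). Entry into the trusted
    state is approved only if the boot-time integrity check passed and
    confirmation key 104 was pressed; the key reaches the component on its own
    wire, so a keystroke alone cannot satisfy this check. Untrusted states
    need no approval from the component."""

    def approve(self, target: State, integrity_ok: bool, confirmation_key: bool) -> bool:
        if target is not State.TRUSTED:
            return True
        return integrity_ok and confirmation_key


@dataclass
class ComputingEntity:
    tc: TrustedComponent = field(default_factory=TrustedComponent)
    state: State = State.OFF
    log: list = field(default_factory=list)   # audit trail of transitions

    def boot(self, target: State, integrity_ok: bool = True,
             confirmation_key: bool = False) -> State:
        """Turn-on 703 with boot 704, or re-boot 705: the only way into or out
        of the trusted state."""
        if not self.tc.approve(target, integrity_ok, confirmation_key):
            raise PermissionError("trusted component refused entry into state 700")
        self.log.append(("boot", self.state, target))
        self.state = target
        return self.state

    def navigate(self, target: State) -> State:
        """Keystroke navigation without re-boot. Permitted only between the
        untrusted states; anything involving state 700 must go through
        boot() or power_off()."""
        if self.state not in UNTRUSTED or target not in UNTRUSTED:
            raise PermissionError("state 700 is entered and left only via re-boot or power-down")
        self.log.append(("navigate", self.state, target))
        self.state = target
        return self.state

    def power_off(self) -> State:
        """Power-down 707."""
        self.log.append(("power_off", self.state, State.OFF))
        self.state = State.OFF
        return self.state

    def can_use(self, resource: str) -> bool:
        """Resource policy: only the predetermined set of the current state."""
        return resource in RESOURCES.get(self.state, frozenset())


def refused(action, *args, **kwargs) -> bool:
    """True if the state rules or the trusted component rejected the action."""
    try:
        action(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

The point of the model is the asymmetry: a software path (menu selection, keystroke) can move the platform between the two untrusted states, but state 700 is reachable only through a re-boot in which the trusted component checks both the integrity measurement and a signal that never crosses the platform's data bus.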

[0073] Referring to Fig. 9 herein there is illustrated schematically process steps carried out by the computing entity for entering a state via boot process 704 or re-boot process 705.

[0074] In step 900, the computer enters a boot up routine, either as a result of a power supply to the computing entity being turned on, or as a result of a user inputting a reset instruction signal, for example by clicking a pointer icon over a reset icon displayed on the graphical user interface, giving rise to a reset signal. The reset signal is received by the trusted component, which monitors internal bus 304. The BIOS component 301 initiates a boot-up process of the computer platform in step 901. Trusted component 202 proceeds to make a plurality of integrity checks on the computer platform and in particular checks the BIOS component 301 in order to check the status of the computer platform. Integrity checks are made by reading a digest of the BIOS component. The trusted component 202 acts to monitor the status of the BIOS, and can report to third party entities on the status of the BIOS, thereby enabling third party entities to determine a level of trust which they may allocate to the computing entity.

[0075] There are several ways to implement integrity metric measurement of the BIOS. In each case, the trusted component is able to obtain a digest of a BIOS file very early on in the boot up process of the computer platform. The following are examples:

• The BIOS component may be provided as part of the trusted component 202, in which the architecture illustrated in Fig. 3 herein is modified such that BIOS 301 resides within trusted component 202.

• The first processor 201 of the computer platform may execute, immediately after reset, an internal firmware component which computes a digest over a preset memory space occupied by a BIOS file. The first processor writes the digest to a preset memory space to which only the firmware component is able to write. The first processor reads from the BIOS file in order to boot the computer platform. At any time afterwards, the trusted component reads data from a preset location within the memory space to obtain a BIOS digest data.

• The trusted component may be addressed at a memory location occupied by BIOS 301, so that the trusted component contains a set of first native instructions which are accessed after reset of the first processor 201. These instructions cause the first processor 201 of the computer platform to calculate a digest of the BIOS, and store it in the trusted component. The trusted component then passes control to the BIOS 301 once the digest of the BIOS is stored in the trusted component.

• The trusted component may monitor a memory control line and a reset line and verify that the BIOS component 301 is the first memory location accessed after the computer platform resets. At some stage in the boot process, the BIOS passes control to the trusted component and the trusted component causes the first processor of the computer platform to compute a digest of the BIOS and return the digest to the trusted component. The process of computing the digest and writing the result to the trusted component must be atomic. This action may be started by the trusted component, causing the computer platform's processor to read a set of native instructions from the trusted component which causes the processor to compute a digest over a memory space occupied by the BIOS, and to write the digest data to the memory space occupied by the trusted component. Alternatively, this action could be started by the trusted component causing the first processor of a platform to execute an instruction, where the processor computes a digest over a preset memory space occupied by the BIOS and writes the digest to a preset memory space occupied by the trusted component.

• A loading program for loading a selected operating system is itself loaded by the BIOS program. Integrity metrics of the operating system loading program are also measured by computing a digest of the loading program.

[0076] In one embodiment, trusted component 202 may interrogate individual components of the computer platform, in particular hard disk drive 203, microprocessor 201, and RAM 301, to obtain data signals directly from those individual components which describe the status and condition of those components. Trusted component 202 may compare the metric signals received from the plurality of components of the computer entity with the pre-recorded metric data stored in a memory area reserved for access by the trusted component. Provided that the signals received from the components of the computer platform coincide with and match those of the metric data stored within the memory, then the trusted component 202 provides an output signal confirming that the computer platform is operating correctly. Third parties, for example other computing entities communicating with the computing entity, may take the output signal as confirmation that the computing entity is operating correctly, that is to say is trusted.
[0077] In step 903 BIOS generates a menu display on monitor 100 offering a user a choice of state options, including a trusted state 700. The user enters details of which state is to be entered by making key entry to the graphical user interface or data entry using a pointing device, e.g. mouse 105. The BIOS receives key inputs from a user which instruct a state into which to boot in step 904. The trusted component may also require a separate input from confirmation key 104 requiring physical activation by a human user, which bypasses internal bus 304 of the computer entity and accesses trusted component 202 directly, in addition to the user key inputs selecting the state. Once the BIOS 301 has received the necessary key inputs instructing which state is required, the processing of the set of configuration instructions stored in BIOS 301 occurs by microprocessor 201, and instructs which one of a set of state options stored in the BIOS file the computer platform will configure itself into. Each of a plurality of state selections into which the computer platform may boot may be stored as separate boot options within BIOS 301, with selection of the boot option being controlled in response to keystroke inputs or other graphical user inputs made by a user of the computing entity. Once the correct routine of BIOS file 301 is selected by the user, then in step 906 the BIOS file releases control to an operating system load program stored in a memory area of the computer platform, which activates boot up of the computer platform into an operating system of the selected state. The operating system load program contains a plurality of start up routines for initiating a state, which include routines for starting up a particular operating system corresponding to a selected state. The operating system load program boots up the computer platform into the selected state. The operating system measures the metrics of the load program which is used to instantiate the operating system, in step 907. Once in the selected state, trusted component 202 continues, in step 908, to perform further integrity check measurements on an ongoing basis to monitor the selected state continuously, looking for discrepancies, faults, and variations from the normal expected operation of the computer platform within that state. Such integrity measurements are made by trusted component 202 sending out interrogation signals to individual components of the computer platform, and receiving response signals from the individual components of the computer platform, which response signals the trusted component may compare with a predetermined preloaded set of expected response signals corresponding to those particular states which are stored within the memory of the trusted component; or the trusted component 202 compares the integrity metrics measured from the computer platform in the selected state with the set of integrity metrics initially measured as soon as the computer platform enters the selected state, so that on an ongoing basis any changes to the integrity metrics from those initially recorded can be detected.
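The measurement and comparison steps of [0074] to [0077], as an added runnable example (not code from the patent or from any product): the trusted component takes a digest of the BIOS, then of the operating system loading program, then of the operating system, compares them with pre-recorded metrics, and after entry into the state keeps re-measuring to detect any change from the metrics recorded on entry. SHA-256 as the digest, the chaining of measurements in boot order, the region names, and the byte strings standing in for BIOS 301, the loader and the operating system are all assumptions of this example.

```python
import hashlib

# Constructed stand-ins for the memory regions the trusted component measures:
# the BIOS file 301, the operating system loading program, and the operating
# system of the selected state. Their contents are irrelevant to the technique.
BIOS_IMAGE = b"BIOS 301 v1.0: boot options {700,701,702}; default=701"
LOADER_IMAGE = b"OS loading program: start-up routines for states 700/701/702"
OS_IMAGE_700 = b"operating system for trusted state 700"


def digest(region: bytes) -> str:
    """Integrity metric of a memory region. The text says only 'digest';
    SHA-256 is this example's choice."""
    return hashlib.sha256(region).hexdigest()


def extend(previous: str, measurement: str) -> str:
    """Chain measurements so the boot order BIOS -> loader -> OS is captured
    (an example design choice, in the style of a TPM PCR extend)."""
    return hashlib.sha256(bytes.fromhex(previous) + bytes.fromhex(measurement)).hexdigest()


class TrustedComponent:
    """Stand-in for component 202: holds pre-recorded expected metrics, records
    what it actually measured at boot, and re-measures while in the state."""

    def __init__(self, expected: dict):
        self.expected = expected       # pre-recorded metric data ([0076])
        self.measurement_log = []      # (name, digest) in boot order ([0074]/[0075])
        self.chain = "00" * 32         # running value over all measurements
        self.baseline = {}             # metrics recorded on entering the state ([0077])

    def measure_boot(self, regions: dict) -> bool:
        """Steps 901/902: measure each region early in boot, then decide whether
        the platform matches the pre-recorded metrics. The verdict is what a
        third party may take as confirmation ([0076])."""
        self.measurement_log.clear()
        self.chain = "00" * 32
        for name, data in regions.items():
            d = digest(data)
            self.measurement_log.append((name, d))
            self.chain = extend(self.chain, d)
        return all(self.expected.get(name) == d for name, d in self.measurement_log)

    def enter_state(self, regions: dict) -> None:
        """Step 907: record the metrics as found on entry into the selected state."""
        self.baseline = {name: digest(data) for name, data in regions.items()}

    def check_state(self, regions: dict) -> list:
        """Step 908: ongoing re-measurement; returns the names of components whose
        metric differs from the baseline (an empty list means no discrepancy)."""
        return [name for name, data in regions.items()
                if digest(data) != self.baseline.get(name)]


# Expected metrics as a manufacturer would pre-record them (constructed here by
# measuring the known-good images).
EXPECTED = {"bios": digest(BIOS_IMAGE), "loader": digest(LOADER_IMAGE),
            "os": digest(OS_IMAGE_700)}


def boot_into_trusted_state(bios: bytes, loader: bytes, os_image: bytes, tc=None):
    """Boot 704 with the trusted component monitoring. Returns (trusted, tc);
    the baseline for step 908 is only recorded if the boot was trusted."""
    tc = tc or TrustedComponent(EXPECTED)
    regions = {"bios": bios, "loader": loader, "os": os_image}
    trusted = tc.measure_boot(regions)
    if trusted:
        tc.enter_state(regions)
    return trusted, tc
```

A modified BIOS image changes both the first entry of the measurement log and the chained value, so the verdict is negative before any operating system is loaded; a change to a region after entry into the state shows up in `check_state` as a discrepancy against the metrics recorded at step 907.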

[0078] During the boot up procedure, although the trusted component monitors the boot up process carried out by the BIOS component, it does not necessarily control the boot up process. The trusted component acquires a value of the digest of the BIOS component 301 at an early stage in the boot up procedure. In some of the alternative embodiments, this may involve the trusted component seizing control of the computer platform before boot up by the BIOS component commences. However, in alternative variations of the best mode implementation described herein, it is not necessary for the trusted component to obtain control of the boot up process, but the trusted component does monitor the computer platform, and in particular the BIOS component 301. By monitoring the computer platform, the trusted component stores data which describes which BIOS options have been used to boot up the computer, and which operating system has been selected. The trusted component also monitors the loading program used to install the operating system.
[0079] There will now be described an example of operation of a computer entity within a trusted state in a first specific mode of operation according to the present invention.

[0080] Referring to Figs. 10 and 11 herein, there is illustrated schematically usage of the computing entity in a trusted state, extending over a plurality of user sessions, for example usage of the computing entity over two successive days, whilst turning off or re-booting the computing entity between sessions.
[0081] Referring to Fig. 10 herein, a user boots up the computing entity into a trusted state 700 as hereinbefore described in a first boot process 1000. In the trusted state the user commences a first session 1001 of usage of the computing entity. Within the session, because the computer platform is booted into the trusted state, a predetermined set of logical and physical resources are available to the user within that trusted state. Typically, this would include access to an operating system and a predetermined selection of applications. The level of trust which applies to the trusted state varies depending upon the number, complexity and reliability of the physical and logical resources available to the user within the trusted state. For example, where the trusted state is configured to use a well-known reliable operating system, for example UNIX, and a reliable word processing package, with minimal access to peripheral devices of the computer platform being permitted in the trusted state, for example no access to modems, and access to output data restricted to a single writer drive, e.g. a CD writer, then this may have a relatively high degree of trust. In another trusted state, where more facilities are available, the trust level would be different to that in a trusted state in which there is more limited access to physical or logical resources. However, each trusted state is characterized in that the access to facilities is predetermined and known and can be verified by trusted component 202. During the first session 1001, a user may call up an application 1002 available in the trusted state and may enter user data 1003, for example via a keyboard device. The user data 1003 is processed according to the application 1002 in processing operation 1004, resulting in processed output user data 1005. During the course of the session, by virtue of using the computer platform, operating system and applications, the user may have reconfigured the applications and/or operating system for a specific usage within the session. For example, in a word processor application, documents may have been formatted with certain line spacing, font styles etc. To avoid these settings being lost on leaving the trusted state, such settings comprising session data 1006 may be stored during the session. Similarly, to avoid the effort made by the user during the session being lost, the output user data may be stored during the session. However, the user session 1001 only exists in the trusted state as long as the trusted state exists. Therefore, to avoid loss of settings and data from the first session 1001 in the trusted state 700, the output user data and session data must be stored as stored output user data 1007 and stored session data 1008 respectively before the trusted state can be exited. The stored output user data 1007 and stored session data 1008 may be saved to a device available in the trusted state, for example hard disk drive 203 or a CD reader/writer peripheral, for use in a further successive session, or be encrypted and signed and then saved at a remote location, accessed over a network. Preferably, signing of user data and session data is done by the trusted component and/or the user's smartcard. Exit from the trusted state involves closing the first user session 1001, and rebooting the computing entity via re-boot process 705, or powering down the computing entity via power down process 707. In the first user session in the trusted state, processing of user input data occurs, and the output of the process is the output processed data. The output processed data is stored after processing of the data has terminated, and before the session is ended, and before the trusted state is exited.
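The store, sign, and verify-before-loading flow for stored output user data 1007 and stored session data 1008, as an added example rather than anything from the patent. It assumes an HMAC-SHA256 key that never leaves the trusted component (the text also allows the user's smart card to do the signing), a JSON serialization of the two records, and shows only the signing and authentication steps: the text additionally encrypts the data for remote storage, which this example leaves to an AEAD cipher outside the standard library.

```python
import hashlib
import hmac
import json


class TrustedComponentSigner:
    """Stand-in for the signing role of trusted component 202 (assumed
    construction: HMAC-SHA256 under a key held only inside the component)."""

    def __init__(self, key: bytes):
        self._key = key

    def tag(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def verify(self, payload: bytes, tag: str) -> bool:
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        return hmac.compare_digest(self.tag(payload), tag)


def store_session(signer: TrustedComponentSigner, output_user_data: dict,
                  session_data: dict) -> bytes:
    """End of a session in the trusted state: serialize output user data 1007
    and session data 1008 into one record and sign it before the state is exited."""
    payload = json.dumps({"output_user_data": output_user_data,
                          "session_data": session_data},
                         sort_keys=True, separators=(",", ":")).encode()
    record = {"payload": payload.decode(), "tag": signer.tag(payload)}
    return json.dumps(record).encode()


def restore_session(signer: TrustedComponentSigner, blob: bytes):
    """Start of the next session: authenticate the record before anything from
    it is loaded into the trusted state. Returns (output_user_data, session_data)
    or raises ValueError, in which case nothing is loaded."""
    record = json.loads(blob)
    payload = record["payload"].encode()
    if not signer.verify(payload, record["tag"]):
        raise ValueError("stored session data failed integrity check; not loaded")
    data = json.loads(payload)
    return data["output_user_data"], data["session_data"]


class TrustedSession:
    """A session 1001/1101 inside the trusted state. All in-memory state is
    discarded on exit; only the signed record survives the re-boot or power-down."""

    def __init__(self, signer: TrustedComponentSigner, blob: bytes = None):
        self._signer = signer
        if blob is None:
            self.output_user_data, self.session_data = {}, {}
        else:
            self.output_user_data, self.session_data = restore_session(signer, blob)

    def exit(self) -> bytes:
        """Store and sign, then forget everything (the 'amnesia' on leaving state 700)."""
        blob = store_session(self._signer, self.output_user_data, self.session_data)
        self.output_user_data, self.session_data = {}, {}
        return blob


def loads_cleanly(signer: TrustedComponentSigner, blob: bytes) -> bool:
    """True if a stored record passes the integrity check and can be loaded."""
    try:
        TrustedSession(signer, blob)
    except ValueError:
        return False
    return True
```

Because the record is authenticated before it is parsed into application settings, a record altered on the hard disk, the CD or the remote location between the two sessions is rejected as a whole rather than partially applied to the second session.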
[0082] Referring to Fig. 11 herein, there is illustrated
schematically operation of the computing entity on a
second day, in a second session in the same trusted
state 700. Between the first and second sessions the
trusted state 700 disappears completely, since the
computing entity leaves the trusted state 700. On leaving
the trusted state 700, apart from the stored output user
data and stored session data, the computer platform saves
no information concerning the trusted state other than
that which is pre-programmed into the BIOS 301 and
the loading programs and the trusted component 202.
Therefore, for all practical purposes, on power down or
re-boot, the trusted state 700 ceases to exist. However,
the ability to re-enter the trusted state 700 through a
new operation of the boot process or re-boot process
remains within the capabilities of the computing entity.
The trusted state is entered via a second boot process
1100 as hereinbefore described. Once the trusted state is
entered, a second session 1101 commences. Within the
second session 1101 the operating system, applications
and facilities available from the computer platform are
selected from the same set of such physical and logical
resources as were available previously for the first
session. However, usage of those facilities within the
second session may vary according to a user's keystroke
instructions. Second session 1101 may effectively
comprise a continuation of first session 1001. The user
may call up the same application 1002 as previously and
may effectively continue the work carried out during the
first session in the second session 1101. However,
because exiting the trusted state involves the computer
platform in complete amnesia of all events which occurred
during that trusted state, after the state has been left,
if the trusted state is reactivated and a new session is
commenced, the application 1002 has no memory of its
previous configuration. Therefore, stored output session
data 1008 produced at the end of the first session 1001
must be input into the second session 1101 in order to
reconfigure the application, to preserve, for example,
the settings of line spacing and format, and the output
user data 1005 stored as stored output user data 1007
must be re-input into the second session 1101 for further
work to continue on that data. The stored session data
1008 and user data 1007 may be retrieved from a storage
medium, decrypted and authenticated and then loaded into
the trusted state, to configure the second session as a
continuation of the first session. Preferably, integrity
measurement checks are performed by the trusted
component on the user data and session data imported
from the smartcard or storage medium, before that data
is loaded. During the second session 1101, further user
data 1102 is input by the user, and the further data is
processed together with the stored first output data 1007
according to the application 1002 configured according
to the first stored output session data 1008 in process
1103. Processing of the data 1103 during the second
session 1101 results in a new output user data 1104. If
the application or operating system used in the second
session has changed in configuration during the second
session, this results in a new session data 1105. As with
the first session, in order to close the session without
losing the settings of the application program and
operating system, and without losing the benefit of the
work carried out during the second session, both the
new session data 1105 and the new output user data
1104 need to be stored. These data are stored
respectively as a stored new output user data 1106 and a
stored new session data 1107.
[0083] At the end of the second session, the session
is closed after having saved the work produced in the
second session, and the trusted state is exited via a
power down process or re-boot process 705, 707. All
memory of the trusted state and second session other
than that stored as the session data 1107 and stored
output user data 1106 is lost from the computer platform.
[0084] It will be appreciated that the above example
is a specific example of using a computer in successive
first and second sessions on different days. In between
use of those sessions, the computing entity may be used
in a plurality of different states, for different purposes
and different operations, with varying degrees of trust.
In operating states which have a lower level of trust, for
example the second and third states (being 'untrusted'
states), the computer entity will not lose memory of its
data configuration between transitions from state to
state. According to the above method of operation, the
trusted state 700 may be activated any number of times,
and any number of sessions carried out. However, once
the trusted state is exited, the trusted state has no
memory of previous sessions. Any configuration of the
trusted state must be by new input of data 1003, 1102, or
by input of previously stored session data or user data
1007, 1008, 1106, 1107.
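
The store-and-reload cycle of paragraphs [0082] to [0084] can be made concrete. The following Python is an added illustration, not code from the patent or from the applicant: it binds the keys that protect stored session data 1008 and user data 1007 to a digest of the measured platform configuration, so the stored data authenticates and decrypts only when the trusted component sees the same configuration again on the second day, and is refused before loading if the platform measures differently. The trusted component secret, the component images, the records and the HMAC counter-mode cipher are constructed assumptions; the cipher stands in for a proper AEAD such as AES-GCM, which the Python standard library does not provide.

```python
import hashlib
import hmac
import json
import os


def state_digest(measurements):
    """Fold the ordered (name, image) measurements of BIOS, loader, OS and
    applications into one digest, extend-style: each step hashes the running
    value with the next component's hash, so a change anywhere alters it."""
    acc = b"\x00" * 32
    for name, image in measurements:
        acc = hashlib.sha256(acc + name.encode() + hashlib.sha256(image).digest()).digest()
    return acc


def _keys(tc_secret, digest):
    """Encryption and MAC keys bound to the trusted component's own secret and
    to the platform state digest (assumption: only the trusted component, never
    the platform's main memory, holds tc_secret)."""
    root = hashlib.sha256(tc_secret + b"|seal|" + digest).digest()
    return (hashlib.sha256(root + b"enc").digest(),
            hashlib.sha256(root + b"mac").digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(tc_secret, digest, record):
    """Encrypt-then-MAC a JSON record so it only opens under the same digest."""
    plain = json.dumps(record, sort_keys=True).encode()
    enc_key, mac_key = _keys(tc_secret, digest)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(tc_secret, digest, blob):
    """Integrity check first (constant-time compare); decrypt only if it passes."""
    if len(blob) < 48:
        raise ValueError("stored data truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(tc_secret, digest)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data or platform state changed")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain.decode())


# Constructed stand-in images for the components measured at boot.
TRUSTED_PLATFORM = [
    ("BIOS 301", b"bios-image-v1"),
    ("loader", b"loader-image-v1"),
    ("OS", b"os-image-v1"),
    ("application 1002", b"wordproc-v1"),
]


def two_day_demo(tc_secret=b"constructed-trusted-component-secret"):
    # Day 1, session 1001: work, then store session data 1008 and user data 1007.
    day1 = state_digest(TRUSTED_PLATFORM)
    stored_session = seal(tc_secret, day1, {"line_spacing": 1.5, "format": "A4"})
    stored_user = seal(tc_secret, day1, {"document": "draft text from session 1001"})
    # Power down: nothing of the trusted state survives except those two blobs.

    # Day 2, session 1101: the same measured configuration opens both blobs.
    day2 = state_digest(TRUSTED_PLATFORM)
    session_data = unseal(tc_secret, day2, stored_session)
    user_data = unseal(tc_secret, day2, stored_user)

    # A platform whose application image differs measures to another digest,
    # so the stored data is refused before anything is loaded into the session.
    tampered = [(n, b"wordproc-trojaned" if n == "application 1002" else img)
                for n, img in TRUSTED_PLATFORM]
    try:
        unseal(tc_secret, state_digest(tampered), stored_user)
        rejected = False
    except ValueError:
        rejected = True
    return {"session_data": session_data, "user_data": user_data,
            "tampered_rejected": rejected}
```

Because the keys are derived from the state digest rather than stored with the data, the "complete amnesia" of the platform on exit costs nothing: whatever is on the storage medium or smartcard is useless to any state other than the one that produced it.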

[0085] In the above described specific implementations,
specific methods, specific embodiments and modes of
operation according to the present invention, a trusted
state comprises a computer platform running a set of
processes all of which are in a known state. Processes
may be continuously monitored throughout a session
operating in the trusted state, by a trusted component
202.

[0086] Referring to Fig. 12 herein, there is illustrated
schematically a second mode of operation of a trusted
state, in which the trusted component 202 itself can be
reconfigured by a user. In the second mode of operation,
the trusted component stores a predetermined set of data
describing metrics which apply when the computer
platform is in the trusted state in which the component
itself can be reconfigured. A trusted state 1200 is
entered as described previously herein through boot
process 704 or re-boot process 705. In the trusted state,
a user enters a command to call up a trusted component
configuration menu in step 1201. The trusted component
configuration menu comprises a set of instructions
stored in memory and which is only accessible via a
trusted state. In order to make changes via the menu,
various levels of security may be applied. For example,
a user may be required to enter a secure password, for
example a password comprising numbers and letters or
other characters, in step 1202. The trusted component
monitors the trusted state from which the trusted
component can be reconfigured by comparing integrity
metrics measured from the computer platform whilst in
the trusted state with the set of pre-stored integrity
metrics which the trusted component stores in its own
memory area. The trusted component will not allow a user
to reconfigure the trusted component 202 unless the
integrity metrics measured by the trusted component when
the computer platform is in the trusted state from which
the trusted component can be reconfigured match the
pre-stored values in the trusted component's own memory,
thereby verifying that the computer platform is operating
correctly in the trusted state. The trusted component
denies a user reconfiguration of the trusted component if
the trusted component detects that the measured integrity
metrics of the computer platform do not match those
predetermined values which are stored in the trusted
component's own internal memory and which are those of
the trusted state from which the trusted component can be
reconfigured.

[0087] Additionally or optionally, the user may be
required to insert a smart card into smart card reader
103 in step 1203, following which the trusted component
verifies the identity of the user by reading data from
the smart card via smart card interface 305.
Additionally, the user may be required to input physical
confirmation of his or her presence by activation of
confirmation key 104, providing direct input into trusted
component 202 as described with reference to Fig. 3
herein, in step 1204. Data describing the trusted state,
for example which operating system to use and which
applications to use, may be stored on the smart card and
used to boot up the computer platform into the trusted
state.
[0088] Once the security checks, including the password
verification by smart card and/or activation of the
confirmation key, are accepted by the trusted component,
the configuration menu is displayed on the graphical user
interface under control of trusted component 202 in step
1205. Reconfiguration of the trusted component can be
made using the menu in step 1206 by the user. Depending
upon the level of security applied, which is an
implementation specific detail of the trusted component
configuration menu, the user may need to enter further
passwords and make further confirmation key activations
when entering data into the menu itself. In step 1207,
the user exits the trusted component reconfiguration
menu having reconfigured the trusted component.

[0089] In the trusted component configuration menu,
a user may reconfigure operation of the trusted
component. For example, a user may change the integrity
metrics used to monitor the computer platform.

[0090] By storing predetermined digest data
corresponding to a plurality of integrity metrics present
in a state inside the trusted component's own memory,
this may provide the trusted component with data which it
may compare with the digest data of a state into which
the computer platform is booted, for the trusted
component to check that the computer platform has not
been booted into an unauthorized state.

[0091] The trusted component primarily monitors boot
up of the computer platform. The trusted component
does not necessarily take control of the computer
platform if the computer platform boots into an
unauthorized state, although optionally, software may be
provided within the trusted component which enables the
trusted component to take control of the computer
platform if the computer platform boots into an
unauthorized, or an unrecognized, state.
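
The gate described in paragraphs [0086] to [0091] is illustrated below in Python. This is an added example, not the patent's own code: a TrustedComponent class keeps reference digests in its own memory, classifies the state the platform has just booted into as a known state or 'unrecognized', and refuses to change its own integrity metrics unless the platform re-measures to the reconfigurable trusted state 1200 at the time of the request and the password of step 1202 and the confirmation key 104 of step 1204 are both presented. The component images, the password, the reference set and the takeover flag are constructed assumptions; the smart card check of step 1203 is left out.

```python
import hashlib
import hmac


def measure(component_images):
    """Integrity metrics: one SHA-256 per image the platform loads at boot."""
    return [(name, hashlib.sha256(image).digest()) for name, image in component_images]


def fold(metrics):
    """Single digest over the ordered metrics (extend-style chaining), the
    form in which the trusted component keeps its pre-stored references."""
    acc = b"\x00" * 32
    for name, h in metrics:
        acc = hashlib.sha256(acc + name.encode() + h).digest()
    return acc.hex()


class TrustedComponent:
    """References live in the component's own memory, keyed by state name:
    {name: (digest, reconfigurable)}. Only trusted state 1200 is marked
    reconfigurable, matching Fig. 12."""

    def __init__(self, references, password_hash):
        self._refs = dict(references)
        self._pw_hash = password_hash  # assumption: sha256 of the password; use a slow hash in practice
        self.metrics_in_use = ["BIOS 301", "loader", "OS", "application 1002"]
        self.controlled_by_tc = False

    def monitor_boot(self, component_images, take_control_if_unknown=False):
        """Classify the booted state by comparing its digest with every
        pre-stored reference. Unknown digests are 'unrecognized'; the optional
        takeover of [0091] is modelled as a flag on the component."""
        digest = fold(measure(component_images))
        for name, (ref, _) in self._refs.items():
            if hmac.compare_digest(digest, ref):
                return name
        if take_control_if_unknown:
            self.controlled_by_tc = True
        return "unrecognized"

    def reconfigure(self, component_images, password, confirmation_pressed, new_metrics):
        """Steps 1201-1207. The platform is re-measured at request time and must
        match the reference marked reconfigurable before any user factor is
        considered; then password and confirmation key 104 must both pass."""
        digest = fold(measure(component_images))
        in_reconfigurable_state = any(
            recon and hmac.compare_digest(digest, ref) for ref, recon in self._refs.values())
        if not in_reconfigurable_state:
            return False, "metrics do not match the reconfigurable trusted state"
        if not hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash):
            return False, "password rejected"
        if not confirmation_pressed:
            return False, "confirmation key 104 not activated"
        self.metrics_in_use = list(new_metrics)
        return True, "trusted component reconfigured"


# Constructed stand-in images; the untrusted state differs only in what it loads.
TRUSTED_IMAGES = [("BIOS 301", b"bios-v1"), ("loader", b"loader-v1"),
                  ("OS", b"os-v1"), ("application 1002", b"wordproc-v1")]
UNTRUSTED_IMAGES = [("BIOS 301", b"bios-v1"), ("loader", b"loader-v1"),
                    ("OS", b"os-v1"), ("games", b"pinball-v3")]


def build_component():
    refs = {"trusted state 1200": (fold(measure(TRUSTED_IMAGES)), True),
            "untrusted second state": (fold(measure(UNTRUSTED_IMAGES)), False)}
    return TrustedComponent(refs, hashlib.sha256(b"c0rrect-h0rse").digest())


def demo():
    tc = build_component()
    r = {}
    r["boot_trusted"] = tc.monitor_boot(TRUSTED_IMAGES)
    r["boot_untrusted"] = tc.monitor_boot(UNTRUSTED_IMAGES)
    r["boot_unknown"] = tc.monitor_boot(
        [("BIOS 301", b"bios-v1"), ("loader", b"loader-v1"), ("OS", b"os-rootkitted")],
        take_control_if_unknown=True)
    # In the trusted state with every factor present: allowed.
    r["reconf_ok"] = tc.reconfigure(TRUSTED_IMAGES, b"c0rrect-h0rse", True, ["BIOS 301", "OS"])
    # Valid password but no physical presence: denied.
    r["reconf_no_key"] = tc.reconfigure(TRUSTED_IMAGES, b"c0rrect-h0rse", False, ["OS"])
    # Platform drifted at runtime (OS image changed): denied before any user factor.
    drifted = [(n, b"os-patched" if n == "OS" else img) for n, img in TRUSTED_IMAGES]
    r["reconf_drifted"] = tc.reconfigure(drifted, b"c0rrect-h0rse", True, ["OS"])
    r["metrics_in_use"] = tc.metrics_in_use
    r["took_control"] = tc.controlled_by_tc
    return r
```

The order of the checks is the point: the platform measurement is tested before the password or the confirmation key, so a compromised platform cannot even reach the user-factor prompts, and the references it is tested against never leave the trusted component's own memory.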

[0092] When in the trusted state, a user may load in
new applications to use in that trusted state, provided
the user can authenticate those applications for use in
the trusted state. This may involve a user entering
signature data of the required application to the trusted
component, to allow the trusted component to verify the
application by means of its signature when loading the
application into the trusted state. The trusted component
checks that the signature of the application is the
same as the signature which the user has loaded into
the trusted component before actually loading the appli-